Cyber Security Questions

The document provides a comprehensive overview of various cybersecurity concepts, including the differences between Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS), risk, vulnerability, and threat definitions, and encryption types. It also covers web vulnerabilities like XSS and CSRF, the roles of firewalls and antivirus software, and various attack types such as DDoS and brute force attacks. Additionally, it discusses network protocols, security measures, and the importance of keeping updated with security news.

Uploaded by jamesrobertsnz9
Copyright © All Rights Reserved

Cyber Security Q/A

1. IPS and IDS
a. IPS-Intrusion prevention system
b. IDS-Intrusion detection system
i. IDS and IPS are both parts of the network infrastructure. IDS/IPS compare
network packets to a cyberthreat database containing known signatures of
cyberattacks-and flag any matching packets.
ii. The main difference is that IDS is a monitoring system and IPS is a control
system
iii. IDS doesn’t alter the network packets in any way, whereas IPS prevents the
packet from delivery based on the contents of the packet, much like how a
firewall prevents traffic by IP address
2. Explain risk, vulnerability, and threat
a. A threat exploits a vulnerability and can damage or destroy an asset.
b. Vulnerability refers to a weakness in your hardware, software, or procedures. (In
other words, it’s a way hackers could easily find their way into your system.)
c. Risk refers to the potential for lost, damaged, or destroyed assets
3. What’s the difference between Asymmetric and symmetric encryption and which one is
better?
a. Symmetric encryption uses the same key for both encryption and decryption, while
Asymmetric encryption uses different keys for encryption and decryption.
Symmetric is usually much faster, but the key needs to be transferred over an
encrypted channel. Asymmetric is more secure but slow. Hence a hybrid approach
should be preferred: set up a channel using asymmetric encryption, then send the
data using a symmetric process.
4. What is XSS and how do you mitigate it?
a. Cross Site Scripting is a JavaScript vulnerability in web applications. The easiest way
to explain this is a case when a user enters a script in the client-side input fields and
that input gets processed w/out getting validated. This leads to untrusted data
getting saved and executed on the client-side. Countermeasures of XSS are input
validation, implementing a CSP (Content security policy), etc…
5. What is the difference between encryption and hashing?
a. Encryption is reversible whereas hashing is irreversible. Hashing can be cracked
using rainbow tables and collision attacks but is not reversible.
b. Encryption ensures confidentiality whereas hashing ensures integrity.
6. What is CSRF?
a. Cross-Site Request Forgery is a web application vulnerability in which the server
does not check whether the request came from a trusted client or not. This request
is just processed directly. It can be further followed by the ways to detect this,
examples, and countermeasures.
7. What is the difference between XSS & CSRF
a. XSS is believed to be more dangerous since it doesn’t require any user interaction.
CSRF is restricted to the actions victims can perform, whereas XSS works by executing
malicious scripts, enlarging the scope of actions the attacker can perform.
b. XSS requires only a vulnerability, while CSRF requires a user to access the malicious
page or click a link.
c. CSRF works only one way-it can only send HTTP requests but cannot view the
response. XSS can send and receive HTTP requests and responses in order to extract
the required data.
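As an added example (not from the original document), the following Python shows the two countermeasures described in Q4 and Q6: HTML-encoding untrusted input before rendering it, and a server-side CSRF token check bound to the session. The in-memory `SESSIONS` store and the functions `render_comment` and `handle_transfer` are hypothetical names constructed for the illustration.

```python
import hmac
import html
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> CSRF token bound to it.
# (Illustrative store for this example, not part of the original document.)
SESSIONS: Dict[str, str] = {}


def start_session() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id


def csrf_token_for(session_id: str) -> Optional[str]:
    """The token the server would embed in its own forms for this session."""
    return SESSIONS.get(session_id)


def render_comment(untrusted: str) -> str:
    """Q4: neutralise XSS by HTML-encoding untrusted input before it is placed
    in the page, so a submitted <script> tag is displayed as text, not run."""
    return '<p class="comment">' + html.escape(untrusted, quote=True) + "</p>"


def is_request_trusted(session_id: str, submitted_token: Optional[str]) -> bool:
    """Q6: the server must check that a state-changing request carries the
    token bound to the caller's session. A forged cross-site request makes the
    browser send the session cookie, but cannot read or guess this token."""
    expected = SESSIONS.get(session_id)
    if expected is None or submitted_token is None:
        return False
    # compare_digest avoids leaking the token through timing differences
    return hmac.compare_digest(expected, submitted_token)


def handle_transfer(session_id: str, form: Dict[str, str]) -> str:
    """A state-changing endpoint that refuses requests without a valid token."""
    if not is_request_trusted(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form.get('amount', '0')}"
```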
8. Is XSS Client-side attack or Server-side attack?
a. Client-side attack
9. What is IOC
a. Indicator of compromise in computer forensics is an artifact observed on a network
or in an operating system that, w/ high confidence, indicates a computer intrusion.
Ex hash, IP, domain, url, user-agent, etc…
10. Anti-virus vs EDR
a. EDR includes:
i. Real-time monitoring and detection of threats-including those that may not
be easily recognized or defined by standard antivirus. Also, EDR is behavior
based, so it can detect unknown threats based on behavior that isn’t normal
ii. Data collection and analysis determines threat patterns and alerts
organizations to threats
iii. Forensic capabilities can assist in determining what has happened during a
security event
b. Antivirus:
i. Antivirus is signature based, so it only recognizes threats that are known
ii. AV can include scheduled or regular scanning of protected devices to detect
known threats
iii. Assists in removal of more basic viruses (worms, trojans, malware, adware,
spyware, etc…)
iv. Warnings about possibly malicious sites
c. Do I need both?
i. No. EDR is sufficient

11. What is a firewall
a. A network security system that monitors and controls incoming and outgoing
network traffic based on predetermined security rules
12. IPS vs Firewall
a. The main difference is that a firewall performs actions such as blocking and
filtering traffic, while IPS/IDS detects and alerts a system administrator or prevents
the attack as configured. A firewall allows traffic based on a configured set of
rules
13. What is a Security Misconfiguration
a. Security Misconfiguration is a vulnerability in which a device/application/network is
configured in a way that an attacker can exploit. This can be as simple as leaving the
default username/password unchanged, or using too simple a password, for device
accounts etc…
14. Black/White/Grey hat hackers
a. Black-those who hack w/out authority
b. White-those authorized to perform a hacking attempt under a signed NDA
c. Grey-white hats who sometimes perform unauthorized activities
15. How do you keep yourself updated w/ the information security news?
a. By following blogs such as trendmicro blogs, hackernews, gbhacker, etc…
16. Name some recent attack and explain in brief
a. Explain log4j Vulnerability, spring4shell vulnerability
i. Log4j-a type of remote code execution vulnerability, and a very serious one
that allows an attacker to drop malware or ransomware on a target system.
This can, in turn, lead to complete compromise of the network and the theft
of sensitive information as well as the possibility of sabotage
ii. Spring4shell-a vulnerability in the Spring Framework that makes affected
applications vulnerable to Remote Code Execution (RCE). RCE is a form of
cyberattack where attackers remotely inject and run malicious code on a
compromised machine
17. What is CIA
a. Confidentiality-keeping the information secret
b. Integrity-keeping the information unaltered
c. Availability-Information is always available to the authorized parties
18. HIDS vs NIDS-which one is better and why
a. HIDS is a host intrusion detection system and NIDS is a network intrusion detection
system. Both work on similar lines. It’s just that the placement is different. HIDS is
placed on each host whereas NIDS is placed in the network. For an enterprise, NIDS
is preferred as HIDS is difficult to manage, plus it consumes the processing power of
the host as well.
19. What is port scanning?
a. The process of sending messages in order to gather information about the network,
system, etc…by analyzing the response received
20. What’s the difference between VA and PT
a. Vulnerability Assessment is an approach used to find flaws in an application/network
whereas Penetration testing is the practice of finding exploitable vulnerabilities like
a real attacker will do. VA is like traveling on the surface whereas PT is digging it for
gold
21. What are some response codes from a web application
a. 1xx-Informational responses
b. 2xx-Success
c. 3xx-Redirection
d. 4xx-Client-side error
e. 5xx-Server-side error
22. When do you use tracert/traceroute
a. In case you can’t ping the final destination, tracert will help identify where the
connection stops or gets broken, whether it is the firewall, ISP, router, etc…
23. DDOS and its mitigation
a. Distributed Denial of Service: a network/server/application is flooded with a
larger number of requests than it is designed to handle, making the server
unavailable to legitimate requests. The requests come from many different,
unrelated sources, hence it is a distributed denial-of-service attack. It can be
mitigated by analyzing and filtering the traffic in scrubbing centers, which are
centralized data cleansing stations where the traffic to a website is analyzed
and the malicious traffic is removed
24. What is a WAF and what are its types
a. WAF stands for web application firewall. It is used to protect the application by
filtering legitimate traffic from malicious traffic. WAF can be either a box type or
cloud-based
25. How do you handle Antivirus alerts
a. Check the policy for the AV and then the alert. If the alert is for a legitimate file then
it can be whitelisted and if this is a malicious file then it can be quarantined/deleted.
The hash of the file can be checked for reputation on various websites like virustotal,
malwares.com, etc… AV needs to be fine-tuned so that the alerts can be reduced
26. Blue team vs Red team
a. Red-Offensive
b. Blue-Defensive
c. Being on the red team seems fun but being on the blue team is difficult as you need
to understand the attacks and methodologies the red team may follow
27. What is a false positive and false negative in case of IDS? Which one is more acceptable?
a. When the device generates an alert for an intrusion that has actually not happened,
this is a false positive; if the device has not generated any alert and an intrusion
has actually happened, this is a false negative.
b. False positives are more acceptable. False negatives will lead to intrusions
happening w/out getting noticed.
28. What is data leakage? How will you detect and prevent it?
a. Data leak is when data gets out of the organization in an unauthorized way. Data
can get leaked through various ways-emails, prints, laptops getting lost,
unauthorized upload of data to public portals, removable drives, photographs, etc…
b. There are various controls which can be placed to ensure that the data does not get
leaked, a few controls can be restricting upload on internet websites, following an
internal encryption solution, restricting the mails to the internal network, restriction
on printing confidential data, etc…
29. Open source software and licensed software, which one will you prefer?
a. Licensed software as the licensed version is updated and easy to track in an
organization
30. What is DNS
a. The Domain Name System (DNS) turns domain names into IP addresses, which
browsers use to load internet pages
31. What is TLD?
a. A TLD (top-level domain) is the most generic domain in the Internet’s hierarchical
DNS (domain name system). A TLD is the final component of a domain name, for
example, “org” in developer.mozilla.org. ICANN (Internet Corporation for Assigned
Names and Numbers) designates organizations to manage each TLD
32. What is Name Servers?
a. Name servers translate the domain name into an IP address, connecting information
that’s easy for humans to understand w/ information that’s easy for computers to
understand
33. Canonical Name
a. A canonical name (CNAME) is a type of domain name system (DNS) database record
that indicates that a domain name is the nickname or alias for another domain
name. Also referred to as the “true name,” the CNAME is especially important when
multiple services run from a single IP address
34. What details you find when you searched IP/Domain for DNS lookup?
a. A, AAAA, SOA, Name Server etc…
35. What is DHCP
a. Dynamic Host Configuration Protocol (DHCP) is a network management protocol
used on Internet Protocol (IP) networks for automatically assigning IP addresses and
other communication parameters to devices connected to the network using a
client-server architecture. DORA is the main concept behind the working of DHCP
36. What is CVE? Which authority generates CVE?
a. CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed
computer security flaws. CVEs are assigned by a CVE Numbering Authority (CNA)
37. What is a loopback address?
a. The IP address 127.0.0.1 is called a loopback address. Packets sent to this address
never reach the network but are looped through the network interface card only.
This can be used for diagnostic purposes to verify the internal path through the
TCP/IP protocols is working
38. Difference between thread and process?
a. A process is a program under execution, i.e. an active program. A thread is a
lightweight process that can be managed independently by a scheduler. Processes
require more time for context switching as they are heavier. Threads require
less time for context switching as they are lighter than processes.
39. Difference between thread and services?
a. Service-a component of android which performs long running operation in
background, mostly w/out having UI.
b. Thread-an O.S. level feature that allows you to do some operation in the background
40. What is Kerberos
a. A computer-network authentication protocol that works on the basis of tickets to
allow nodes communicating over a non-secure network to prove their identity to
one another in a secure manner
41. What is 0x18 and 0x12 in Kerberos authentication?
a. 0x12-Client’s credentials have been revoked: account disabled, expired, locked
out, or outside logon hours.
b. The failure code 0x18 means that the account was already disabled or locked out
when the client attempted to authenticate
42. What is kernel?
a. The kernel is an essential center of a computer operating system (OS). It is the core
that provides basic services for all other parts of the OS. It is the main layer
between the OS and hardware, and it helps w/ process and memory management,
file systems, device control, and networking
43. LDAP use and port numbering
a. LDAP (Lightweight Directory Access Protocol) is used for extracting and editing data
stored in Active Directory and other compatible directory services. Each user account
in an AD has several attributes, such as the user’s full name and email address.
Extracting this information in a usable format requires LDAP. Port 389
44. What are salted hashes?
a. Password hash salting is when random data-a salt-is used as an additional input to a
hash function that hashes a password. The goal of salting is to defend against
dictionary attacks against hashed passwords using a rainbow table
45. What’s a brute force attack? How will you mitigate it?
a. It tries various combinations of usernames and passwords repeatedly until it gets in.
This repetitive action is like an army attacking a fort.
i. Mitigation-Limit the login attempts, enable 2FA, use captchas, and block
malicious IP etc…
b. What are encoding, hashing, and encryption?
i. Encoding-converts the data in the desired format required for exchange
between different systems
ii. Hashing-maintains the integrity of a message or data. Any change to the data
can be noticed
iii. Encryption-ensures that the data is kept confidential; one needs the corresponding
key in order to decrypt and access it
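Added example (not part of the original document) tying Q44 and Q45 together: a password store that hashes with a per-user random salt via PBKDF2, and a login routine that locks the account after a fixed number of failed attempts. The iteration count, the attempt limit, and the `USERS` store are assumed values constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict

# Tunables: assumed values for this example, not taken from the document.
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5

# Constructed in-memory store: username -> salt, hash, failure counter, lock flag
USERS: Dict[str, dict] = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Q44: the random salt is an extra input to the hash, so two users with
    the same password get different hashes and a precomputed rainbow table
    is useless. PBKDF2's iteration count also slows down every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh per-user salt alongside the salted hash, never the password."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "failed": 0,
        "locked": False,
    }


def login(username: str, password: str) -> str:
    """Q45: brute-force mitigation by limiting login attempts.
    Returns 'ok', 'bad-credentials' or 'locked'."""
    rec = USERS.get(username)
    if rec is None:
        # Unknown user: answer exactly like a wrong password so usernames
        # cannot be enumerated from the response.
        return "bad-credentials"
    if rec["locked"]:
        return "locked"
    candidate = hash_password(password, rec["salt"])
    if hmac.compare_digest(candidate, rec["hash"]):  # constant-time comparison
        rec["failed"] = 0
        return "ok"
    rec["failed"] += 1
    if rec["failed"] >= MAX_FAILED_ATTEMPTS:
        rec["locked"] = True  # further guesses are refused until an admin unlocks
        return "locked"
    return "bad-credentials"


def same_password_different_hash(password: str) -> bool:
    """Demonstrates the salt effect: identical passwords, different stored hashes."""
    register("alice", password)
    register("bob", password)
    return USERS["alice"]["hash"] != USERS["bob"]["hash"]
```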
46. What are TCP header flags and what do they do?
a. SYN
b. URG
c. ACK
d. PSH
e. RST
f. FIN
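Added example, not from the original document: a parser that decodes the six TCP flags listed above from a raw 20-byte header, with the meaning of each flag in comments, plus a defender-side check that reports sources sending bare SYNs to many distinct ports, the pattern behind the port scanning described in Q19. The sample traffic is constructed in `sample_capture()`, and the threshold of 10 ports is an assumption.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Q46: the six classic flag bits in byte 13 of the TCP header (RFC 793).
TCP_FLAGS = {
    "FIN": 0x01,  # sender has finished sending data
    "SYN": 0x02,  # synchronise sequence numbers (connection setup)
    "RST": 0x04,  # reset/abort the connection
    "PSH": 0x08,  # push buffered data to the application immediately
    "ACK": 0x10,  # acknowledgement number field is valid
    "URG": 0x20,  # urgent pointer field is valid
}

# 20-byte header without options: src port, dst port, seq, ack,
# data-offset byte, flags byte, window, checksum, urgent pointer.
TCP_HEADER = struct.Struct("!HHIIBBHHH")


def build_tcp_header(src_port: int, dst_port: int, flags: Set[str],
                     seq: int = 0, ack: int = 0) -> bytes:
    """Builds a minimal TCP header; used here only to construct sample input."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAGS[name]
    data_offset = 5 << 4  # header length of 5 x 32-bit words, no options
    return TCP_HEADER.pack(src_port, dst_port, seq, ack, data_offset,
                           flag_byte, 65535, 0, 0)


def parse_tcp_flags(header: bytes) -> Dict[str, object]:
    """Decodes the ports and the set of flags present in a raw TCP header."""
    src, dst, _seq, _ack, _offset, flag_byte, *_rest = TCP_HEADER.unpack_from(header)
    return {
        "src_port": src,
        "dst_port": dst,
        "flags": {name for name, bit in TCP_FLAGS.items() if flag_byte & bit},
    }


def detect_syn_scans(packets: List[Tuple[str, bytes]],
                     threshold: int = 10) -> Dict[str, int]:
    """Q19: a port scanner probes many ports with bare SYN segments and reads
    the replies. Report each source IP whose bare SYNs reached at least
    `threshold` distinct destination ports (the threshold is an assumed value)."""
    ports_by_src: Dict[str, Set[int]] = defaultdict(set)
    for src_ip, header in packets:
        info = parse_tcp_flags(header)
        if info["flags"] == {"SYN"}:  # SYN without ACK: a new connection attempt
            ports_by_src[src_ip].add(info["dst_port"])
    return {ip: len(ports) for ip, ports in ports_by_src.items()
            if len(ports) >= threshold}


def sample_capture() -> List[Tuple[str, bytes]]:
    """Constructed traffic: 10.0.0.9 sweeps ports 1-20 with bare SYNs, while
    10.0.0.5 is a normal HTTPS client completing a handshake and sending data."""
    pkts = [("10.0.0.9", build_tcp_header(40000 + p, p, {"SYN"}))
            for p in range(1, 21)]
    pkts += [
        ("10.0.0.5", build_tcp_header(51000, 443, {"SYN"})),
        ("10.0.0.5", build_tcp_header(51000, 443, {"ACK"})),
        ("10.0.0.5", build_tcp_header(51000, 443, {"PSH", "ACK"})),
    ]
    return pkts
```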
47. What is VLAN? What is the difference between VPN and VLAN?
a. VPN-it is related to remote access to a network w/ a secured and encrypted tunnel.
It protects the data from prying eyes while in transit, and no one on the net can
capture the packets.
b. VLAN-helps to group workstations that are not w/in the same locations into the
same broadcast domain. Logically segregates networks w/out physical segregation
w/ switches. Does not involve any encryption.
48. Difference between proxy and VPN?
a. A VPN secures all your network traffic, while a proxy works on an application level.
They both hide your IP addresses, but only a VPN redirects your internet data
through an encrypted tunnel. A proxy is suitable for browsing the internet, but it’s
not as safe/secure as a VPN.
49. Difference between reverse proxy and forward proxy?
a. The main difference between the two is that forward proxy is used by the client such
as a web browser whereas reverse proxy is used by the server such as a web server.
50. SSL vs TLS? How does SSL work? Which one is better?
a. SSL-secure socket layer. It is a protocol that enables safe conversation between two
or more parties. It’s designed to identify and verify that the person you are talking
to on the other end is who they say they are. For example, HTTPS (Hypertext
Transfer Protocol Secure) is HTTP combined with SSL which provides safe browsing
w/ encryption
b. TLS-Transport layer security is another cryptographic protocol that provides
authentication and data encryption between servers, machines, and applications.
SSL is the predecessor to TLS and they can be used together.
c. SSL Handshake process
i. The client contacts the server and requests a secure connection. The server
replies with the list of cipher suites (algorithmic toolkits for creating an
encrypted connection) that it knows how to use. The client compares this
against its own list of supported cipher suites, selects one, and lets the
server know that they will both be using it.
ii. The server then provides its digital certificate, an electronic document
issued by a third-party authority confirming the server’s identity. This digital
certificate contains the server’s public cryptographic key. Once the client
receives the certificate, it confirms the certificate’s authenticity.
iii. Using the server’s public key, the client and server establish a session key
that both will use for the rest of the session to encrypt communication
d. TLS is better than SSL
51. Difference between virus, worms, and trojan malware
a. Virus-a computer virus can automatically create and install a copy of itself on a
computer’s files, and -like a virus in humans-it can spread from computer to
computer. Viruses require a host program to exist, and they are initiated when the
user opens or runs this host file. Typically, this type of malware is designed only to
destroy a particular computer’s files, and the extent of its damage can vary. Some
viruses are simply annoying, while others can cause more serious damage that
requires professional removal.
b. Worm-much like viruses, worms can automatically replicate and infect multiple files.
Unlike viruses, they can operate w/in a computer w/out a host file and without
attaching to an existing file. Many times, worms gain access to a computer via
email, while other times they enter the network through a vulnerability. Instead of
targeting a single computer, worms typically seek to harm an entire network or open
a backdoor for other malware
c. Trojan-named after the famed wooden gift horse Greek soldiers used to invade the
city of Troy, Trojans operate in a similar fashion. They are disguised as legitimate or
even beneficial programs, and once a user enables them, they infect the computer.
They are not self-replicating and can only be spread by user interaction, typically
through email attachments or internet downloads.
52. What is chain of custody?
a. For legal cases the integrity of the data/device (evidence) must be preserved, hence
any access needs to be documented-who, what, when, and why. A compromise in this
process can cause legal issues for the parties involved.
53. What is an IP address?
a. An address having information about how to reach a specific host, especially outside
a LAN. An IP address is a 32-bit unique address, giving an address space of 2^32.
Generally, there are two notations in which IP addresses are written, dotted decimal
notation and hexadecimal notation.
b. The Internet Assigned Numbers Authority (IANA) is a standard organization that
oversees global IP address collection, autonomous system number allocation, root
zone management in the Domain Name System (DNS), media types, and other
internet protocol-related symbols and internet numbers.
54. What are the different classes of IP addresses and give the range of each class
a. A
i. 1.0.0.0 to 126.255.255.255
1. Default Subnet Mask-255.0.0.0
b. B
i. 128.0.0.0 to 191.255.255.255
1. Default Subnet Mask-255.255.0.0
c. C
i. 192.0.0.0 to 223.255.255.255
1. Default Subnet Mask-255.255.255.0
d. D
i. 224.0.0.0 to 239.255.255.255
1. Default Subnet mask-Reserved for multicasting
e. E
i. 240.0.0.0 to 254.255.255.255
1. Default Subnet Mask-Experimental
f. Class A addresses 127.0.0.0 to 127.255.255.255 cannot be used and is reserved for
loopback testing
55. What is Subnet Mask?
a. A 32-bit number that is used to identify the subnet of an IP address. The subnet
mask is a combination of 1’s and 0’s. 1’s represent the network and subnet ID while 0’s
represent the host ID. For example, with 26 network bits the subnet mask is,
i. 11111111.11111111.11111111.11000000
ii. 255.255.255.192
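Added example (not from the original document) working through Q54 and Q55 in Python: classify an IPv4 address by first octet using the ranges and default masks listed above, and apply a subnet mask such as 255.255.255.192 to split an address into its network and host IDs. Class E is treated as first octet 240 and above here, and the function names are constructed for the illustration.

```python
import ipaddress
from typing import Dict, Optional


def classify_ipv4(address: str) -> Dict[str, Optional[str]]:
    """Q54/Q37: classful class and default mask, decided by the first octet."""
    first = int(ipaddress.IPv4Address(address)) >> 24
    if first == 127:
        return {"class": "A", "default_mask": "255.0.0.0",
                "note": "loopback (127.0.0.0/8), not usable on the network"}
    if 1 <= first <= 126:
        return {"class": "A", "default_mask": "255.0.0.0", "note": None}
    if 128 <= first <= 191:
        return {"class": "B", "default_mask": "255.255.0.0", "note": None}
    if 192 <= first <= 223:
        return {"class": "C", "default_mask": "255.255.255.0", "note": None}
    if 224 <= first <= 239:
        return {"class": "D", "default_mask": None, "note": "reserved for multicasting"}
    if first >= 240:
        return {"class": "E", "default_mask": None, "note": "experimental"}
    return {"class": None, "default_mask": None, "note": "0.0.0.0/8 is not classful"}


def mask_to_prefix(mask: str) -> int:
    """Q55: a valid mask is a left-aligned run of 1s (network + subnet bits)
    followed only by 0s (host bits). Returns the number of 1 bits."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if bits != contiguous:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def split_address(address: str, mask: str) -> Dict[str, object]:
    """Apply the mask: network ID = address AND mask, host ID = address AND NOT mask."""
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    prefix = mask_to_prefix(mask)
    net = ipaddress.IPv4Network((a & m, prefix))
    return {
        "mask_binary": ".".join(f"{(m >> s) & 0xFF:08b}" for s in (24, 16, 8, 0)),
        "prefix_length": prefix,
        "network": str(net.network_address),
        "host_id": str(ipaddress.IPv4Address(a & ~m & 0xFFFFFFFF)),
        "broadcast": str(net.broadcast_address),
        # network and broadcast addresses are not assignable to hosts
        "usable_hosts": max(net.num_addresses - 2, 0),
    }
```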
56. What is a default gateway?
a. A gateway is a node that routes the traffic from a workstation to another network
segment. The default gateway commonly connects the internal networks and the
outside network (internet).
b. In such a situation, the gateway node could also act as a proxy server and a firewall
c. To know your default gateway
i. Open “cmd”, the command prompt. At the prompt, enter ipconfig. This will
display your network information, including your default gateway
57. What protocol is used by PING
a. ICMP (Internet control message protocol) is used by PING
58. Name the ports used by FTP protocol
a. Control connection: for sending control information like user identification,
password, commands to change the remote directory, commands to retrieve and
store files, etc…, FTP makes use of a control connection. The control connection is
initiated on port number 21
b. Data connection: For sending the actual file, FTP makes use of a data connection. A
data connection is initiated on port number 20
59. What is MAC address
a. Unique 48-bit hardware numbers of computers, which are embedded in a network
card (Network interface card) during the time of manufacturing
60. What is IP multicast
a. Multicasting has one or more senders and one or more recipients participating in
the data transfer
b. In multicasting, traffic lies between the boundaries of unicast and broadcast
c. Its servers direct single copies of data streams that are then replicated and
routed to the hosts that request them
61. Differences between public and private IP address
a. Private IP address is used with a local network and public IP address is used outside
the network. Public IP address is provided by ISP, Internet Service Provider.
62. What is Network Address Translation (NAT)
a. A process in which one or more local IP addresses is translated into one or more
Global IP addresses and vice versa in order to provide Internet access to the local
hosts
63. Difference between static and dynamic IP
a. Static IP does not change at any time, which means if a static IP address is provided
then it can’t be changed or modified
b. Dynamic IP addresses can change at any time
64. Is it possible to have an IPv4 and an IPv6 address simultaneously?
a. Yes
65. Ipconfig
a. IPCONFIG stands for Internet Protocol Configuration. This is a command-line
application that displays all the current TCP/IP (Transmission Control
Protocol/Internet Protocol) network configuration, refreshes the DHCP (Dynamic
Host Configuration Protocol) and DNS (Domain Name Server)
66. What is 127.0.0.1
a. Loopback address
67. Difference between ifconfig and ipconfig commands
a. Ifconfig (interface configuration) command is used to configure the kernel-resident
network interfaces. OS example: Linux
b. IPCONFIG stands for Internet Protocol Configuration; it displays the same information
as ifconfig but it is for Windows
68. What is the location of Prefetch files in Windows?
a. C:\Windows\Prefetch
69. What is the forensic tool KAPE used for?
a. Fast acquisition of files important to a digital forensics investigation
70. Important browser files can be retrieved using both KAPE and Browser History Capturer.
True or False?
a. True
71. Benefit of logging PowerShell
a. Malicious insiders could use PowerShell to perform malicious actions that cause
damage or disruption, and recording executed commands can help determine who
is responsible, and what they did
b. Employees could use PowerShell and unintentionally cause disruption or damage,
and logging commands can allow for the issue to be resolved
c. PowerShell logging can provide a number of benefits to the organization, not just
the security team
72. What information is contained in the file located at /etc/passwd?
a. The passwd file contains information about all user accounts on the system
73. What information is contained in the file located at /etc/shadow?
a. A list of encrypted passwords associated with existing users on the system
74. What text character does a file name or directory name need to start with to make it hidden
from the graphical file browser, and the “ls” command?
a. A period (“.”)
75. What tool can be used to embed message in to, and view the metadata of files?
a. ExifTool
76. What information does the .bash_history file contain
a. The .bash_history file contains all of the commands that have been entered to the
terminal, even if the user clears the local history using “history -c”
77. What benefits does an incident response program bring to an organization
a. Ensuring a timely recovery of affected systems to ensure business operations
continuity
b. Reducing the damage that can be done by successful cyberattacks by containing
and limiting the actions conducted by attackers
c. Learning from previous incidents to improve overall defenses, making it easier to
protect against and contain future attacks
78. What is the first stage of the NIST incident response lifecycle
a. Preparation
79. Which phase of the NIST incident response lifecycle would the process of removing
malicious artifacts (such as backdoors or scripts) be included in
a. Containment, Eradication and Recovery
80. Which framework is considered to be the most updated and relevant, according to the
security community
a. MITRE ATT&CK Framework
i. It has a wider scope and is more applicable to modern cyber attacks
81. What is the difference between security events, and security incidents?
a. All security incidents are events, but not all events become incidents
82. What is the name of the final column (right) on the ATT&CK Matrix for Enterprise Webpage
a. Impact is the final tactic in this framework. This is where adversaries complete their
intended actions and goals
83. What is the name given to a network that is created between the internet and a private
network
a. DMZ, the name given to a network that intentionally has internet access and
provides a gap between the internet and corporate networks
84. Security warning signs on a perimeter fence is an example of which physical security control
a. Warning signs act as a deterrent, informing individuals of what they should not do
85. Which of the following are Intrusion Detection Systems (IDS)
a. Snort, Suricata, and Bro/Zeek are all examples of NIDS
86. The results of risk assessments are considered during the preparation stage because they
allow appropriate resources to be assigned to defend systems of high value to the business.
True or false?
a. True. Risk assessments help the organization understand which systems need
priority based on their value to the company
87. How often (typically) do organizations run security awareness training events for their
employees?
a. Every 12 months
88. What is the name given to an attack where multiple systems attempt to crash a target by using
up all of its resources, such as a web server hosting a website? Select the most appropriate
answer.
a. Distributed denial of service attack
89. A security organization spends a week capturing and reviewing network traffic to create a profile
of what is deemed to be 'normal' traffic. They can now compare future traffic against this profile
to detect anomalies. What is this process called?
a. This process is called baselining, where a ‘normal’ sample of traffic is taken, so future
samples can be compared to it to identify anomalies
90. In Wireshark we can export visited webpages or downloaded files if we have captured all of the
relevant traffic. True or False?
a. True
91. What is the acronym used to describe a network scan originating from an internal host to other
internal hosts?
a. L2L is the acronym for local-to-local scanning
92. During an incident, the investigation highlighted that the compromise was caused by an attacker
exploiting a vulnerability in a web server, as the server didn't have the latest patches and security
updates applied. The server has been classed as critical to the business, and risk mitigation is the
best option. Which of the following actions should be taken?
a. Patch the system so it has the latest updates
b. Implement a Web application Firewall (WAF) to detect and protect against exploitation
activity by performing rate limiting and blocking
c. Configure the web server to send logs via Syslog to the SIEM so it can be correlated and
analyzed, generating alerts for human analysts to investigate when suspicious activity is
discovered
d. Configure a proxy to sit in front of the web server, allowing the proxy to handle requests,
preventing fingerprinting and exploitation against the web server
93. Which of the following actions can be used to effectively remove all malicious artifacts related to
an incident in one go?
a. Restoring from a known-good backup is the best way to remove all malicious artifacts
94. If a malware infection incident occurs, traffic should be sniffed to see if the infected host is
attempting to reach out to a system on the internet, such as a command and control server. If
this is observed, blocking the destination IP address on perimeter firewalls, or a local firewall,
could help to sever the C2 connection. True or false?
a. True
95. Select ANY items that could be classed as malicious artifacts.
a. Scheduled tasks
b. Running processes
c. User accounts
d. Files
96. What security control would be most appropriate to detect C2 communication and data
exfiltration?
a. NIDS. This would be able to detect suspicious network activity. Examples include
Snort or Bro/Zeek
97. What is the ATT&CK technique associated with T1547?
a. T1547 is the technique ID for boot or logon autostart execution
98. The MITRE ATT&CK Framework is a more modern version of the Lockheed Martin Cyber Kill
Chain. True or False?
a. True. The ATT&CK framework has a wider scope and is more applicable to modern
cyber attacks
99. T1078 Valid Accounts is under the Initial Access tactic. What are the three other tactics this
technique is a part of?
a. Defense evasion
SPLUNK

1. When looking at events/logs in Splunk, what is the highest-level category that logs can be
grouped into?
a. Sourcetype
2. Matching
a. Suricata-Suricata NIDS
b. Xmlwineventlogs-Sysmon logs
c. Fortigate_UTM-the Fortigate Unified Threat Management firewall
d. Wineventlogs-standard Windows event logging
3. We are trying to get the number of destination IP addresses that a system has connected to.
If the source IP is 192.168.1.100 and the destination IP field name is ‘dst_ip’, what search
query would we use to find the total number of destination IPs and how many times a
destination IP appears in the logs?
a. index="botsc1" src_ip=192.168.1.100 | stats count by dst_ip
